Privacy Policy pursuant to and for the purposes of articles 13/14 Regulation (EU) 2016/679 (GDPR)

JOINTLY CONTROLLERS:

WeRoad S.p.A. 

a company belonging to OneDay Group,  which has its registered office in Milan, Viale Cassala, 30, 20143, Italy, Tax Code and VAT 10380820968  

WeRoad Italia Srl

Viale Cassala 30, 20143 Milano – Tax Code and VAT 12474100968

WeRoad UK Ltd

Work Moor Place, 1 Fore Street Avenue, London,EC2Y 9DT, United Kingdom

WeRoad France SAS

33, rue La Fayette, 75008, Paris, France SIRET 917 797 789 00018

WeRoad Viajes S.L.

Calle de José Abascal, 41, 28003 Madrid, Spain, CIF B88540117

WeRoad Germany GmbH

Rudi-Dutschke-Straße 23, 10969 Berlin, VAT DE355720276

WeRoad Swiss SAGL

Via Maestri Comacini 4 6830 Chiasso (CH)

(“Joint Controller“).

The Joint Data Controllers have signed a data joint controller agreement, pursuant to art. 26 of the GDPR, whose essential content can be viewed by interested parties upon request to be sent by email.

Contacts:

The Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of Regulation (EU) 2016/679 (GDPR). The Data Protection Officer can be contacted at the following email address: [email protected]

TYPE OF DATA PROCESSED

Personal data

  • Personal and contact details (email and mobile phone)
  • Data relating to professional skills and career and in general the data contained in the CV
  • Image and voice of the applicant included in the presentation video
  • personal website
  • Portfolio
  • Data contained in cover letters
  • Data collected during recruiting days (i.e. bootcamp)

Special Data

  • Special categories of data such as situations of disability, illness, pregnancy, accident, health data relating to suitability for certain jobs, belonging to protected categories etc.

(“Data”)

SOURCE OF PROCESSED DATA

  • “career” section included in each Joint Controller’s website
  • Application on LinkedIn
  • Email 
  • Instagram messages to the Joint Controller
  • Data collected during Bootcamp or other recruiting days organized by the Joint Data Controller

PURPOSES OF PROCESSING AND LEGAL BASIS

LEGAL REQUIREMENTS: Your data may be processed to fulfill the obligations established by law, regulations and, in general, by the legislation applicable from time to time. The legal basis of the processing is the fulfillment of a legal obligation to which the Data Controller is subject (art. 6 par. 1, letter c) GDPR). In the case of processing special data, the legal basis is art. 9 par. 2 letter b) GDPR i.e. to fulfill the obligations and exercise the specific rights of the data controller or the data subject in the field of labor law and social security and social protection. The processing is necessary. Any refusal to provide the requested Data or their inaccuracy, could make it impossible to establish and/or continue the relationship with the Data Controller.

SELECTION AND EVALUATION OF THE APPLICANT: to examine the application and assess the candidate. The processing is necessary is necessary in order to take steps at the request of the data subject prior to entering into a contract (Article 6, paragraph 1, letter b) GDPR). With reference to the possible processing of special data, the data subject has given explicit consent to the processing of those personal (Article 9, paragraph 2, letter a) GDPR).

The processing is necessary. Failure to provide the above Personal Data, may result in the inability to follow up on the application selection and evaluation process. 

KEEP THE CANDIDATE’S CURRICULUM VITAE ON FILE: to assess the suitability of the applicant to new job positions. The legal basis for the processing of data is the legitimate interest of the Joint Data Controllers (art. 6, par. 1, letter. f) GDPR). The processing is optional and the data subject may oppose such processing any time. Any refusal could make it impossible to be evaluated for a future positions.

DEFEND A RIGHT:

whenever it is necessary to verify, exercise or defend a right of the Joint Data Controllers in judicial proceedings. The legal basis for the processing consists of the legitimate interest of the Joint Data Controllers (Article 6, paragraph 1 letter f) GDPR), relating to the right to defend and exercise one’s own rights or those of a third party.

Where the legal basis for the processing is the legitimate interest of the Data Controller, the Data Controller shall ensure that it has previously carried out an assessment to ensure the proportionality of the processing so that the rights and freedoms of the Data Subjects are not adversely affected, considering the reasonable expectations of the Data Subjects in relation to the specific processing activity. Data Subjects may request further information on the above assessment by sending an e-mail to the Joint Data Controllers.

The Joint Data Controllers also inform the Data Subject that he/she has the possibility to object, at any time, to the processing of his/her Personal Data based on legitimate interests.

LEGAL PURPOSES:

processing is necessary to comply with a legal requirement (Article 6, paragraph 1 letter c) GDPR) to which the joint data controllers are bound. Personal data may also be processed in order to comply with requests by the competent administrative or judicial authorities and, more generally, by public bodies in compliance with legal procedures.

The provision of data is necessary to enable compliance with regulatory obligations and failure to provide them will make it impossible for the Joint Data Controllers to carry out the recruitment process in all its stages.

DATA RETENTION PERIOD

The data will be processed and stored for the entire period of the job opening (in case of positive outcome of the application, the data will be processed and stored according to the relevant privacy policy: employees or travel coordinators). 

Subsequently, the data will be kept for 2 years following the end of the selection phase, or for a period of five years for purposes of judicial defense of the rights of the Joint Data Controllers.

Furthermore, and without prejudice to the above, the Joint Data Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the need for their retention for a period of time not exceeding that required by the purposes for which the data were collected and processed. The Joint Data Controller may retain Personal Data to comply with the law or to exercise or defend any right or claim in legal proceedings. Once the purposes for which the Personal Data were collected and processed have been achieved, the Joint Data Controller will implement appropriate measures to anonymize them, so that the data subject cannot be identified.

CATEGORIES OF RECIPIENTS 

The Data will be processed by employees of the Joint Data Controller expressly authorized to process the Data based on instructions and subject to the adoption of appropriate measures to protect the Data in relation to all the purposes indicated above.

The following subjects may become aware of the Data in relation to the processing purposes set out in this privacy policy and may process the Data both as independent data controllers and as data processors duly appointed by the Joint Data Controller (the list of such processors and autonomous data controllers is available upon request via e-mail to be sent to [email protected] ):

  • Companies belonging to OneDay Group (the group to which WeRoad is part of) providing services;
  • IT service providers for the management of contact and e-mail databases, digital service providers and IT consultants who provide technical assistance to WEROAD; 
  • subjects who can access the Data by virtue of the legal provision provided for by the law of the European Union or by that of the Member State to which the Joint Data Controller is subject.

DATA TRANSFER OUTSIDE THE EEA (EUROPEAN ECONOMIC AREA)

The Data will be stored on servers and/or archives located within the European Union or in countries that give adequate guarantees of protection of personal data. 

The Joint Data Controller undertakes to transfer personal data to third countries:

  • ensuring that the country to which the personal data will be sent ensures an adequate level of protection, as required by Article 45 of the GDPR; or
  • complying with the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA (these clauses are approved under Article 46 (2) of the GDPR).

METHODS OF DATA PROCESSING 

The Data will be processed in compliance with the principles of correctness, lawfulness and transparency, through manual and automated methods and through the use of paper and electronic means, in any case within the limits of the purposes of the processing(s) of the data established by this information and, in any case, always guaranteeing the security and confidentiality of your Data.

RIGHTS OF THE DATA SUBJECTS

You can at any time exercise the following rights under the conditions and within the limits set out in Articles 12-22 of the GDPR by sending an email to [email protected]

  • Right to rectification of inaccurate personal data and to obtain the integration incomplete personal data (Article 16 GDPR);
  • Right to erasure of personal data: the data subject may request that his/her data be erased if it is no longer necessary for the purposes mentioned above, in the event of withdrawal of consent or his / her objection to the processing, in case of unlawful processing, or if there is a legal obligation to erase (Article 17 GDPR);
  • Right to restriction of processing: the data subject shall have  the right to obtain  restriction of processing where one of the following applies : the data subject disputes the accuracy of the personal data, for the period enabling the Controller to verify the accuracy of the  personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and  requests the restriction of their use instead; although the Data Controller no longer needs the personal data for the purposes of the processing, the personal data are required by the data subject for the establishment , exercise or defense  of legal claims; the data subject has objected to the processing, pending verification  whether the Controller’s legitimate reasons prevail over those of the data subject (Article 18 GDPR);
  • Right to object to the processing: the data subject may object at any time  to the processing of his/her  data , unless the Data Controller demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, pursuant to Article 6(1)(e) or (f) of the GDPR, including profiling (Article 21 GDPR);
  • Right to portability: the data subject shall have  the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her provided to a data controller and has the right to transmit such data to another data controller without hindrance from the data controller to whom he or she has provided it where: the processing is based on consent, or on a contract (Article 20 GDPR);
  • Right to lodge a complaint with the supervisory Authority (Article 77 GDPR)..

In the event that the data subject considers that the processing of personal data carried out by the Joint Data Controller is in violation of the  provisions of Regulation (EU) 2016/679, the data subject has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State in which he/she usually resides or works or in the place where the alleged violation of the regulation occurred (in Italy the Garante per la Protezione dei Dati Personali https://www.garanteprivacy.it/  ) or to act before the appropriate courts.

Updated: July 2024